Installing OpenVPN on a Raspberry Pi
So now that you have a Raspberry Pi, what can you do with it? One interesting option is to install an OpenVPN server on it. This will allow you to connect to your own home network – and browse the internet as if you were home – from wherever you are in the world. This is great if you don’t trust the public Wi-Fi hotspot in your local coffee shop (you shouldn’t trust it!), or if you find yourself on a public network that limits your access to certain information (e.g. internet on a bus, or internet with a content filter). Of course, it is also a great way to watch your favourite Netflix series while abroad.
Luckily, installing OpenVPN has become a lot easier lately thanks to a number of great scripts that do all the hard work for you. I particularly like PiVPN for its simplicity and flexibility, so lets use that one. To get started, you will need a fully installed Raspberry Pi system and you need to be logged in to your Raspberry Pi. Once you have that sorted out, type:
curl -L https://install.pivpn.io | bash
Be careful of online installation scripts!
It’s generally a bad idea to run installation scripts in this way. This statement will get the script from https://install.pivpn.io and will then execute whatever is in the script on your Raspberry Pi. This is like opening a can of worms, as there may be some very sneaky things in there. I would definitely advice you to have a look at the script before you execute the statement above, and to verify that the website is using a valid certificate and you have a secure connection to the website.
The script will now be downloaded from the website and will start to execute. As I mentioned already, the script is really great at simplifying things and splitting everything up in manageable steps. As the first step, the script will install all the necessary packages that are needed to set up OpenVPN.
Once all the packages are downloaded and installed, the script will greet you to acknowledge that it is ready to create your OpenVPN server.
Since you are installing a server, it is important that this particular Raspberry Pi is always accessible through the same IP address. To make that possible, you need a so-called static IP address. The script will set things up for you on the side of the Raspberry Pi, but you probably also need to look up how to do that on your own router. Sadly, since there are so many types and shapes of routers, I cannot help you out with that part. Luckily, this is a common administrative tasks so it should be well-documented in your router’s manual. On the side of the Raspberry Pi, the script will walk you through 3 different screens to complete the transformation to a static IP address on the Pi:
With the static IP in place, it is now time to select the user that will hold the OVPN profiles. These profiles, which are just simple files, hold all the information for an OPenVPN app to connect to your OpenVPN server. If you followed the steps on how to do a basic set up of a Raspberry Pi, then only one user will be shown and you can go ahead and select that one.
Since this will be a server, it is also important to have unattended upgrades configured. This will ensure that the packages on your system are kept up-to-date, even if you don’t do so manually. If you followed the steps on how to do a basic set up of a Raspberry Pi then you already have unattended upgrades configured. In that case, chose not to enable them (again). If you don’t have unattended upgrades set up just yet, then I strongly recommend that you do.
The next step is to configure the protocol and port to use for your OpenVPN server. First, you have to chose the protocol. If in doubt, simply use the default option.
TCP to avoid censorship
Different people use VPNs for different reasons. If you want to use a VPN to avoid censorship, then you may want to select TCP here. If you are unsure, read the next hint on port selection as well. One of the best ways to avoid censorship with a VPN is if you use TCP on port 443. For most other uses UDP is probably a better choice though.
With the protocol selected, you can now select (and then confirm) the port to be used. Once again, you can stick to the default option if in doubt.
Not all ports are created equal
An easy way for public Wi-Fi hotspots to limit the things you can do is to block ports. Ports can be anything from 1…65535, but some are known to have a special use (for example: 1194 is commonly used for OpenVPN). Three ports that are practically impossible to block are 80 (HTTP), 443 (HTTPS), and 53 (DNS). If you want your VPN to be accessible wherever you go, you may opt to use one of these ports instead of the standard 1194. If the network you connect to also employs deep-packet inspection, then the best choice is 443. Both OpenVPN and HTTPS are used to send a lot data, all of which is encrypted. Their traffic patterns aren’t exactly the same, but only few inspection tools are good enough to detect the difference.
Enable port forwarding in your router
Before you will be able to access your OpenVPN server, you will also need to enable port forwarding in your router. You want all incoming traffic on the port you have chosen (e.g. 1194) to be forwarded to the static IP address of your Raspberry Pi which is your OpenVPN server. Like before, I can’t give you the steps to accomplish this, but the manual of your router will provide you with this information.
At this stage, the script has almost all the information it needs. It can now go ahead and generate all the required keys. To do so, you need to make a final choice which is the length of the encryption key. Choosing a 2048-bit encryption key is a good choice. It will make your OpenVPN setup much more secure than with a 1024-bit key. Using a 4096-bit key is still somewhat overkill – it will take much, much longer to generate the keys and the added security benefit is negligible.
The script now has all the information needed to generate the keys, and the script informs you of which keys it will generate.
Once you click the confirm, the menu will disappear and you will see a lot of activity in your terminal. Don’t worry about this. Notice how it says This is going to take a long time. This is not an empty warning. It really will take a long time. So go do something else. Go grab a coffee. Go read a book. Go write a book. As a rough estimate, it can be as quick as only requiring 5 minutes on a Raspberry Pi 3. If you are doing this on a Raspberry Pi Zero, except this process to take up to an hour.
After a long time, the key generation will be completed and you will return to the script menus. You are almost done now, and you only need to make two more choices. The first choice is how you will access your OpenVPN server. You can either do this by using the IP address, or by using a DNS entry. This last option will allow you to connect to the server even if your IP address changes, but it does take some more work to set up. For most users it is probably easier to simply use the public IP address to connect.
The final choice you have to make is which DNS servers to use. I always prefer OpenDNS, but any of these first 5 options are good.
This concludes the installation. The script now informs you how you can add users, but lets get back to that later.
The next screen suggests that you reboot to finish the installation. This is indeed a good idea, so confirm with
<Yes> and confirm on the next screen.
Once your Raspberry Pi has had the chance to restart, just log back into it. Once logged in, you can create a new OpenVPN profile. To do so, type:
pivpn add nopass
This will allow you to create a profile that simply contains the keys to connect to the OpenVPN server. A password will not be necessary, which will make it easier to use – just make sure you keep the generated profile safe! Once you execute the above command it will ask the desired name, and it will then create the profile. That’s it. You can create as many profiles as you want, and everyone who will be connecting to your OpenVPN server will need one. All of the profiles will be saved in the
ovpns folder on your Raspberry Pi. After you have created all the required profiles, you can copy all of them to your main computer. If you are using MacOS, you would type the following to copy all the files from the Raspberry Pi to your desktop:
scp email@example.com:/home/username/ovpns/*.ovpn ~/Desktop/
where you replace
username with your username on the Raspberry Pi (you need to change it in two different places), and hostname with the hostname you chose for this Raspberry Pi. All profiles will now be on your Desktop, ready for you to share them with friends and family. Be careful with this. Remember that every single profile is able to connect to your OpenVPN server. Safely exchange these profiles to make sure no one else finds them and uses them.
Tying up loose ends
The installation of OpenVPN completed, but there are still a few small changes to make.
disabling simultaneous connections
If you create profiles without a password, it’s probably better if you only allow a single connection at one time with one profile. To do so, type:
sudo nano /etc/openvpn/server.conf
This is the configuration file of your OpenVPN installation. In this file, look for a line that reads
duplicate-cn and replace it with
restricting internet speed
You also don’t want to make your own internet unusably slow because of all the people that are connected to your OpenVPN server. A great benefit of using a Raspberry Pi as a dedicated OpenVPN server is that you can use a quick-and-dirty solution to overcome this problem. What you will do on the next few steps is to limit the internet speed of your entire Raspberry Pi. If you don’t want to limit the internet speed of your Raspberry Pi, then just go to the next section.
To impose speed restrictions, you are going to use the
wondershaper package. To install it, you can type:
sudo apt-get install wondershaper -y
Once installed, all that is needed is to launch wondershaper and provide it with the desired speed. For example, if you want to limit the speed to 4Mbps and you are using the Wi-Fi of your Raspberry Pi, then you type:
sudo wondershaper wlan0 4096 4096
The value 4096 is obtained from 4Mbps by multiplying 4 by 1024. If your Raspberry Pi is connected using Ethernet and you want to limit the speed to 8Mbps, then type:
sudo wondershaper eth0 8192 8192
So what is a good speed? I usually settle on half the upload speed of my internet provider. My internet provider gives me 8Mbps upload, so in my case I would restrict the speed to 4 Mbps. This ensures that internet is still fast enough for my own use, even when lots of people are connected to my OpenVPN server.
You’re almost done. There is a small bug in PiVPN that prevents internet on your Raspberry Pi to be forwarded to the OpenVPN software. To correct this bug, lets start the correct tool whenever the Raspberry Pi is restarted. Also, only if you applied speed restrictions, you want these to remain active eveafter restarting the Raspberry Pi. To make these two things possible, l edit the
/etc/rc.local file. To do so, type:
sudo nano /etc/rc.local
You will see that this file already contains some text. You want to add the following two lines to the end of this file, but before the
exit 0 statement:
add netfilter-persistent start sudo wondershaper wlan0 4096 4096
Of course, you need to change the
wondershaper command to match the options you used earlier (i.e. you want to change
wlan0 if you use a different interface, and the two occurrences of 4096 if you want a different speed). The end of the file you are editing should thus look as follows when you are done:
add netfilter-persistent start sudo wondershaper wlan0 4096 4096 exit 0
When you are happy with the change, press
CTRL+X, followed by
y, and finally an enter to save the file and exit. Now is a great time to restart your Raspberry Pi:
sudo restart now
Once the Raspberry Pi is rebooted, your OPenVPN server is up and running and ready to be used! Whenever needed, you can log in to your server and use the
pivpn command to add, or potentially revoke, profiles. Otherwise, the Raspberry Pi will happily perform its job unattended and provide you with safe internet access wherever you go!